aiotestking uk

70-417 Exam Questions - Online Test



Q1. Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server 2012 R2. DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the contoso.com zone. 

You need to log the zone transfer packets sent between DNS1 and DNS2. 

What should you configure? 

A. debug logging from DNS Manager 

B. logging from Windows Firewall with Advanced Security 

C. monitoring from DNS Manager 

D. a Data Collector Set (DCS) from Performance Monitor 

Answer:

Explanation:

Monitoring DNS with the DNS Console

The DNS management console includes functionality that enables you to use the console to monitor DNS activity:

* Event Logging tab: You can access the Event Logging tab located within the Properties dialog box of the DNS server to specify the DNS events that you want to monitor. Through the Event Logging tab, you can limit the events which are written to the DNS Events log.

* Monitoring tab: The Monitoring tab is also located within the Properties dialog box of the DNS server. This tab allows you to test querying of the DNS server.

Reference: Monitoring and Troubleshooting DNS 

Q2. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 R2.

You need to create a 3-TB virtual hard disk (VHD) on Server1. 

Which tool should you use? 

A. New-StoragePool 

B. Diskpart 

C. File Server Resource Manager (FSRM) 

D. New-StorageSubsystemVirtualDisk

Answer:

Explanation: You can create a VHD from either the Disk Management snap-in or the command line (diskpart). From the DiskPart command-line tool at an elevated command prompt, run the create vdisk command and specify the file (to name the file) and maximum (to set the maximum size in megabytes) parameters. The following code demonstrates how to create a VHD file at C:\vdisks\disk1.vhd with a maximum file size of 16 GB (or 16,000 MB).

DiskPart

Microsoft DiskPart version 6.1.7100
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: WIN7

DISKPART> create vdisk file="C:\vdisks\disk1.vhd" maximum=16000

Q3. Your network contains an Active Directory domain named contoso.com. All client computers run Windows 8. 

Your company has users who work from home. Some of the home users have desktop computers. Other home users have laptop computers. All of the computers are joined to the domain. 

All of the computer accounts are members of a group named Group1. Currently, the home users access the corporate network by using a PPTP VPN. You implement DirectAccess by using the default configuration and you specify Group1 as the DirectAccess client group. 

The home users who have desktop computers report that they cannot use DirectAccess to access the corporate network. 

The home users who have laptop computers report that they can use DirectAccess to access the corporate network. 

You need to ensure that the home users who have desktop computers can access the network by using DirectAccess. 

What should you modify? 

A. The WMI filter for DirectAccess Client Settings GPO

B. The conditions of the Connections to Microsoft Routing and Remote Access server policy 

C. The membership of the RAS and IAS Servers group 

D. The security settings of the computer accounts for the desktop computers 

Answer:

Explanation: 

The default settings include creating a GPO that has a WMI filter for laptops only.

Q4. DRAG DROP

You have a server named Server1 that runs Windows Server 2012 R2. You are asked to test Windows Azure Online Backup to back up Server1. You need to back up Server1 by using Windows Azure Online Backup. 

Which four actions should you perform in sequence? To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order. 

Answer:  

Q5. Which terminology is being described below? 

These trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forest that is not joined by a forest trust. 

A. Shortcut Trusts 

B. Realm Trusts 

C. Forest Trusts 

D. External Trust 

Answer:

Explanation: 

You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest.

Trust types: http://technet.microsoft.com/en-us/library/cc775736%28v=ws.10%29.aspx

Understanding When to Create a Realm Trust: http://technet.microsoft.com/en-us/library/cc731297.aspx

When to create a realm trust

You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.

Q6. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two organizational units (OUs) named OU1 and OU2 in the root of the domain. Two Group Policy objects (GPOs) named GPO1 and GPO2 are created. GPO1 is linked to OU1. GPO2 is linked to OU2. OU1 contains a client computer named Computer1. OU2 contains a user named User1. You need to ensure that the GPOs applied to Computer1 are applied to User1 when User1 logs on.

What should you configure? 

A. The GPO Status 

B. WMI Filtering 

C. GPO links 

D. Item-level targeting 

Answer:

Q7. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012. 

The domain contains an Edge Server named Server1. Server1 is configured as a DirectAccess server. Server1 has the following settings: 

Internal DNS name: Server1.contoso.com

External DNS name: dal.contoso.com

Internal IPv6 address: 2002:c1a8:6a:3333::1

External IPv4 address: 65.55.37.62

Your company uses split-brain DNS for the contoso.com zone. 

You run the Remote Access Setup wizard as shown in the following exhibit. (Click the Exhibit button.) 

... 

You need to ensure that client computers on the Internet can establish DirectAccess connections to Server1. 

Which additional name suffix entry should you add from the Remote Access Setup wizard? 

A. A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value 

B. A Name Suffix value of dal.contoso.com and a blank DNS Server Address value 

C. A Name Suffix value of Server1.contoso.com and a DNS Server Address value of 65.55.37.62

D. A Name Suffix value of dal.contoso.com and a DNS Server Address value of 65.55.37.62

Answer:

Explanation: 

* In a non-split-brain DNS environment, the Internet namespace is different from the intranet namespace. For example, the Contoso Corporation uses contoso.com on the Internet and corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the corp.contoso.com intranet namespace rule in the NRPT and are sent to Internet DNS servers.

* Split-brain DNS is a configuration method that enables proper resolution of names (e.g., example.com) from both inside and outside of your local network.

Note: For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients. Name suffixes that do not have corresponding DNS servers are treated as exemptions. 

Reference: Design Your DNS Infrastructure for DirectAccess 

Q8. Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012. 

You complete the Active Directory Federation Services Configuration Wizard on Server1. 

You need to ensure that client devices on the internal network can use Workplace Join. 

Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.) 

A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.

B. Edit the multi-factor authentication global authentication policy settings. 

C. Edit the primary authentication global authentication policy settings. 

D. Run Set-AdfsProxyProperties HttpPort 80.

E. Run Enable-AdfsDeviceRegistration. 

Answer: C,E 

Explanation: 

* To enable Device Registration Service

On your federation server, open a Windows PowerShell command window and type:

Enable-AdfsDeviceRegistration

Repeat this step on each federation farm node in your AD FS farm.

* Enable seamless second factor authentication

Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and administrators can use this information to drive conditional access and gate access to resources.

To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices:

In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.

Q9. Your network contains an Active Directory domain named contoso.com. 

Network Policy Server (NPS) is deployed to the domain. 

You plan to deploy Network Access Protection (NAP). 

You need to configure the requirements that are validated on the NPS client computers. 

What should you do? 

A. From the Network Policy Server console, configure a health policy. 

B. From the Network Policy Server console, configure a network policy. 

C. From a Group Policy object (GPO), configure the NAP Client Configuration security setting. 

D. From a Group Policy object (GPO), configure the Network Access Protection Administrative Templates setting. 

E. From the Network Policy Server console, configure a Windows Security Health Validator (WSHV) policy. 

Answer: E

Explanation:

I feel the question is a bit unclear still. 

http://technet.microsoft.com/en-us/library/cc731260.aspx 

WSHV settings 

If a client computer is noncompliant with one of the requirements of the WSHV, it is considered noncompliant with the WSHV as a whole. If a computer is determined to be noncompliant with the WSHV, the following actions might be taken:

I believe that the validation will take into account Health and Network, so it has to be both of them.

I don't see A or D being a valid choice. 

Leaving us with E. And, the site kinda confirms this.

Q10. Your network contains an Active Directory forest named contoso.com. The forest contains four domains. All servers run Windows Server 2012 R2. 

Each domain has a user named User1. 

You have a file server named Server1 that is used to synchronize user folders by using the Work Folders role service.

Server1 has a work folder named Sync1. 

You need to ensure that each user has a separate folder in Sync1. 

What should you do? 

A. From Windows Explorer, modify the Sharing properties of Sync1 

B. Run the Set-SyncServerSetting cmdlet 

C. From File and Storage Services in Server Manager, modify the properties of Sync1 

D. Run the Set-SyncShare cmdlet 

Answer: